UNC2682
UNC2682 is a Mandiant-tracked intrusion activity cluster associated with post-exploitation activity on SonicWall Email Security (ES). In the described intrusion, the actor deployed a web shell on a SonicWall ES server, gaining command execution with inherited NT AUTHORITY\SYSTEM privileges, and attempted to reduce visibility by clearing the SonicWall webUI log file. Mandiant states it prevented UNC2682 from completing its mission, and the actor's ultimate objectives remain unknown.

Observed tradecraft relied heavily on living-off-the-land techniques for credential access and post-exploitation. UNC2682 exported the HKLM\SAM, HKLM\SYSTEM, and HKLM\SECURITY registry hives, and used rundll32.exe with the comsvcs.dll MiniDump export to dump the memory of lsass.exe and of the Apache Tomcat process. The actor staged data with the 7-Zip installation already present on the host, compressing a subdirectory of \data\archive, which holds the daily archives of emails processed by SonicWall ES.

After a pause consistent with offline password recovery against the exported hives, UNC2682 moved laterally: the victim had reused the same local Administrator password across multiple domain hosts, so a single recovered credential was valid on each of them. For lateral movement and remote execution the actor used Impacket's wmiexec.py over DCOM/WMI, followed by brief internal reconnaissance before containment and removal. No additional aliases, sub-groups, or nation-state attribution are provided in the content beyond the Mandiant tracking name UNC2682.
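Each step of the tradecraft above leaves a process-creation event that a host sensor records, so the profile translates directly into detection logic. The following is an added example, not Mandiant's or SonicWall's code: five rules for the observed behaviours (a shell spawned by the Tomcat worker, reg.exe hive export, comsvcs.dll MiniDump, 7-Zip staging of \data\archive, and the WmiPrvSE.exe parent plus ADMIN$\__<timestamp> redirect that Impacket wmiexec.py produces by default) run over constructed Sysmon-style events. The event field names, the Tomcat worker image names, and every path and host name in the sample data are assumptions chosen for illustration.

```python
"""Detection rules for the UNC2682 living-off-the-land tradecraft, applied to
constructed Windows process-creation events (Sysmon Event ID 1 / 4688 style).

Added example, not vendor code. Field names (host, image, parent_image,
command_line), the Tomcat worker image names and all sample paths are
assumptions; map them to your own telemetry before use.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class Finding:
    rule: str
    host: str
    command_line: str


def _image_is(ev: ProcEvent, *names: str) -> bool:
    """Case-insensitive match on the file name only, ignoring the directory."""
    return ev.image.lower().rsplit("\\", 1)[-1] in names


def _parent_is(ev: ProcEvent, *names: str) -> bool:
    return ev.parent_image.lower().rsplit("\\", 1)[-1] in names


def webshell_child_process(ev: ProcEvent) -> bool:
    # SonicWall ES serves its web UI from Apache Tomcat; a shell spawned by the
    # Tomcat/Java worker is how a web shell gets command execution. The worker
    # image names are an assumption about the appliance build.
    return (_parent_is(ev, "tomcat.exe", "tomcat9.exe", "java.exe")
            and _image_is(ev, "cmd.exe", "powershell.exe"))


def registry_hive_export(ev: ProcEvent) -> bool:
    # reg.exe save/export of SAM, SYSTEM or SECURITY: offline credential recovery.
    cl = ev.command_line.lower()
    return (_image_is(ev, "reg.exe")
            and re.search(r"\b(save|export)\b", cl) is not None
            and re.search(r"hklm\\(sam|system|security)\b", cl) is not None)


def comsvcs_minidump(ev: ProcEvent) -> bool:
    # rundll32 comsvcs.dll MiniDump <pid> <file> full: dumps a process (lsass.exe
    # or Tomcat here) without dropping a dedicated dumping tool on disk.
    cl = ev.command_line.lower()
    return _image_is(ev, "rundll32.exe") and "comsvcs" in cl and "minidump" in cl


def email_archive_staging(ev: ProcEvent) -> bool:
    # 7-Zip "a" (add) with a path under \data\archive, where SonicWall ES keeps
    # its daily mail archives. The directory is the only appliance-specific part.
    cl = ev.command_line.lower()
    return (_image_is(ev, "7z.exe", "7za.exe")
            and re.search(r'7za?(?:\.exe)?"?\s+a\s', cl) is not None
            and "\\data\\archive" in cl)


def impacket_wmiexec(ev: ProcEvent) -> bool:
    # wmiexec.py executes via WmiPrvSE.exe and by default redirects output to
    # \\127.0.0.1\ADMIN$\__<epoch timestamp>; the pair is a strong signal.
    cl = ev.command_line.lower()
    return (_parent_is(ev, "wmiprvse.exe")
            and re.search(r"\\\\127\.0\.0\.1\\admin\$\\__\d+", cl) is not None)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("webshell_child_process", webshell_child_process),
    ("registry_hive_export", registry_hive_export),
    ("comsvcs_minidump", comsvcs_minidump),
    ("email_archive_staging", email_archive_staging),
    ("impacket_wmiexec", impacket_wmiexec),
]


def detect(events) -> List[Finding]:
    """Apply every rule to every event; one Finding per (event, matching rule)."""
    return [Finding(name, ev.host, ev.command_line)
            for ev in events for name, pred in RULES if pred(ev)]


# Constructed sample telemetry (hypothetical hosts and paths, not incident data).
SAMPLE_EVENTS = [
    ProcEvent("ES01", r"C:\Windows\System32\cmd.exe",
              r"C:\SonicWall\ES\tomcat\bin\tomcat.exe", r'cmd.exe /c "whoami"'),
    ProcEvent("ES01", r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe",
              r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ProcEvent("ES01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Windows\Temp\l.dmp full"),
    ProcEvent("ES01", r"C:\Program Files\7-Zip\7z.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Program Files\7-Zip\7z.exe" a -t7z C:\Windows\Temp\a.7z "C:\SonicWall\ES\data\archive\2021-03-30"'),
    ProcEvent("FS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1617100000.5 2>&1"),
    # Benign look-alikes that must not fire: a registry query and a user backup.
    ProcEvent("WS03", r"C:\Windows\System32\reg.exe", r"C:\Windows\explorer.exe",
              r"reg query HKLM\SOFTWARE\Microsoft\Windows"),
    ProcEvent("WS03", r"C:\Program Files\7-Zip\7z.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\7-Zip\7z.exe" a C:\Backups\docs.7z C:\Users\alice\Documents'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:24} {f.command_line}")
```

The rules key on parent/child relationships and argument shapes rather than on hashes, which is what makes them useful against a cluster that brought almost no tooling of its own. The wmiexec rule is the most brittle of the five: an operator who changes Impacket's output share or timestamp format defeats the regex, so the WmiPrvSE.exe parent alone deserves a lower-severity alert of its own.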
Tradecraft
6 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
1 source tracked across advisories and community write-ups. No news coverage yet.